11/16/2017 Copyright © 2017 OMG. All rights reserved. 1
DDS Security
Nina Tucker, VP Technology, Twin Oaks Computing
March 2018
Data Distribution Service
• DDS is a Data-Centric Communications Middleware
• Distributed Data Communications – no brokers required
• System Components are Decoupled
• Robust infrastructure for critical systems
• Scalable from edge to cloud, from bare metal to servers
[Diagram: Publisher/Subscriber pairs, including a Client and a Service]
DDS Architecture and Terminology
• DomainParticipant
  • Associated with a Domain
  • Communicates with other DomainParticipants in the same Domain
  • Contains DataWriters, DataReaders, Topics
• DataWriters and DataReaders are “matched” during Discovery
  • DataWriter publishes data on a Topic
  • DataReader subscribes to a Topic
  • Each Topic has a defined Data Type
DDS Discovery
• Automatic
  • No configuration of IP addresses, port numbers, servers, or brokers
  • Peers may be on the same machine or across a network
  • Simply indicate your intent to publish or subscribe, and start writing/reading
• Dynamic
  • Peers may come and go, or move, at any time
  • Publishers and Subscribers may be created and deleted
  • Networks may be disconnected and reconnected
DDS Configurability: QoS
Cyber Threats: Real World Examples
Example Threat Analysis
SWARMS Case Study
[Diagram: swarm missions: Corrosion Prevention, Pollution Monitoring, Plume Tracking, Seabed Mapping, Berm Building]
• Threat Analysis
  • Take over of unmanned and autonomous vehicles
    • Oil / gas lines
    • Military / civilian vessels
  • Unauthenticated drone infiltrating swarm
  • Release of Confidential Information
    • Information on drone mission, capability
    • Nature of items found on sea floor (weapons, e.g.)
    • Environmental data
Example Threat Analysis
OpenFMB Cyber Security Overview (Duke Energy Emerging Technology Office)
OpenFMB Case Study
[Diagram, today: Utility Central Office with an Enterprise Service Bus and separate Head Ends A, B and C, each a vendor solution reaching field Nodes over its own private carrier, public carrier, 900MHz ISM or proprietary network (3G, LTE, Wi-Fi, Fiber, Ethernet, RF ISM, or PLC)]
Key Observations (today): 1. Single-Purpose Functions 2. Proprietary & Silo’ed systems 3. Latent, Error-prone Data 4. OT/IT/Telecom Disconnected 5. No Field Interoperability!
[Diagram, with OpenFMB: Head Ends A, B and C share the Enterprise Service Bus in the Utility Central Office; an Open Field Message Bus over Any Medium carries CIM, DNP3, 61850+CIM, IoT Pub/Sub, SunSpec Modbus, C12.22 or CoAP, MESA DNP3 and 61850 GOOSE]
Key Observations (with OpenFMB): 1. Multi-Purpose Functions 2. Modular & Scalable HW&SW 3. End-to-End Situational Awareness 4. OT/IT/Telecom Convergence 5. True Field Interoperability!
• Loss of power, small areas to wide scale
• Loss of life
• Safety and Security Issues
• Failure of critical infrastructure operation

• Masquerade / Takeover control applications
• Control the Switch / Breaker / Recloser / Voltage Regulator / PCC
• Spoof Status
• Change Setpoints, Disable Protection
• Drive Distributed Denial-of-Service attack (DDoS)
Cyber Security Elements
Identification and Authentication
• I&A: Identification & Authentication
  • Who is this participant on the network?
  • Do I trust that this participant is who it claims to be?
  • Is this participant authorized to be part of these communications?
Access Control
• Access Control
  • Is checked after Identification & Authentication
  • Does this participant have permission to join the network?
  • Does this participant have read and/or write access on the network?
Integrity and Confidentiality
• Integrity
  • Has the data been tampered with?
• Confidentiality
  • Hide the data, keep it secret
DDS Security: The Basics
DDS Security
• Secure communications solution fully integrated into the DDS architecture
• Standardized API and wire protocol for Portability and Interoperability
• Covers all aspects of secure communications, including:
  • Authentication
  • Integrity
  • Confidentiality
  • Access Control
• Plug-in model
  • Standardized
  • User defined
[Diagram: Authorized Publisher, Authorized Service and Authorized Subscriber; Unauthorized Publisher, Unauthorized Subscriber and Packet Sniffer]
Why DDS Security
• DDS Security is still DDS
  • Decoupled, Flexible, Scalable architecture
  • Eases development of distributed systems across disparate computing platforms
  • Powerful configurability
• Scalable high-performance Security
• Topic-by-Topic configuration (not transport-level configuration)
[Diagram: Topic Level Configuration versus Transport Level Configuration, each shown with Periodic Data, Control Data and Config Data]
Who Uses DDS Security
• Military:
  • Avionics
  • Naval
  • Unmanned Vehicles
  • Ground Stations
• Commercial:
  • IIoT Systems
  • Avionics
  • Automotive
  • Consumer Electronics
  • Energy Solutions / Smart Grid
  • Medical Devices
DDS Security: Plug-in Architecture
• Standardized API
  • Interface between modules and DDS Security protocols
  • Modules may be Standard or Custom
  • Includes all aspects of secure communications
• Standardized modules
  • Interoperable
  • Use common crypto algorithms
[Diagram: Standardized Plugin API connecting the Logging Plugin, Authentication Plugin, Access Control Plugin and Cryptographic Plugin to the DDS Security layer]
• Standardized Plugin Modules
  • PKI + GCM + GMAC
  • AES 256
  • ECDH Key Derivation
• Interoperable
[Diagram: Standardized Plugin API with the standard modules: Logging Plugin (Security Events); Authentication Plugin (PKI Crypto); Access Control Plugin (Fine grain Control, Data Tagging); Cryptographic Plugin (GCM/GMAC AES 256, ECDH Key Derivation, Forward Secrecy)]
DDS Security: Configurability
• Apply security policies
  • Integrity / Encryption / Access Controls
• With fine grained controls
  • Individual Topics
  • Application Data, Discovery Data, Liveliness Data
Periodic Data: Discovery Open, Data Integrity
Control Data: Discovery Open, Data Encrypted
Config Data: Discovery Encrypted, Data Encrypted
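To show how the topic-by-topic policy on this slide is written down in practice, here is an added example in Python (not code from the presentation or from Twin Oaks Computing): a constructed DDS Security 1.1 domain governance document whose three topic rules encode the three cases above, and a small resolver that reports the effective protection for a given topic. SIGN corresponds to the GMAC integrity-only mode and ENCRYPT to the GCM mode listed for the cryptographic plugin; discovery and liveliness protection are set domain-wide and each topic opts in or out. The domain id, topic expressions and rule settings are assumptions made for this example.

```python
"""Resolve the effective per-topic protection from a DDS Security governance
document.  Added example, not code from the presentation or Twin Oaks Computing.
The governance XML below is constructed for this example and encodes the
slide's three topic classes.  SIGN = AES-GMAC integrity only, ENCRYPT = AES-GCM,
NONE = unprotected."""
import fnmatch
import xml.etree.ElementTree as ET

GOVERNANCE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
  <domain_access_rules>
    <domain_rule>
      <domains><id>0</id></domains>
      <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
      <enable_join_access_control>true</enable_join_access_control>
      <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
      <liveliness_protection_kind>SIGN</liveliness_protection_kind>
      <rtps_protection_kind>SIGN</rtps_protection_kind>
      <topic_access_rules>
        <topic_rule>  <!-- Periodic Data: discovery open, data integrity -->
          <topic_expression>Periodic*</topic_expression>
          <enable_discovery_protection>false</enable_discovery_protection>
          <enable_liveliness_protection>false</enable_liveliness_protection>
          <enable_read_access_control>false</enable_read_access_control>
          <enable_write_access_control>true</enable_write_access_control>
          <metadata_protection_kind>SIGN</metadata_protection_kind>
          <data_protection_kind>SIGN</data_protection_kind>
        </topic_rule>
        <topic_rule>  <!-- Control Data: discovery open, data encrypted -->
          <topic_expression>Control*</topic_expression>
          <enable_discovery_protection>false</enable_discovery_protection>
          <enable_liveliness_protection>true</enable_liveliness_protection>
          <enable_read_access_control>true</enable_read_access_control>
          <enable_write_access_control>true</enable_write_access_control>
          <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
          <data_protection_kind>ENCRYPT</data_protection_kind>
        </topic_rule>
        <topic_rule>  <!-- Config Data: discovery encrypted, data encrypted -->
          <topic_expression>Config*</topic_expression>
          <enable_discovery_protection>true</enable_discovery_protection>
          <enable_liveliness_protection>true</enable_liveliness_protection>
          <enable_read_access_control>true</enable_read_access_control>
          <enable_write_access_control>true</enable_write_access_control>
          <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
          <data_protection_kind>ENCRYPT</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>
"""

def _domain_matches(domains_el, domain_id):
    """<domains> lists explicit <id> values and/or <id_range> spans (<max> optional)."""
    for child in domains_el:
        if child.tag == "id" and int(child.text) == domain_id:
            return True
        if child.tag == "id_range":
            low, high = child.findtext("min"), child.findtext("max")
            if int(low) <= domain_id and (high is None or domain_id <= int(high)):
                return True
    return False

def _flag(el, tag):
    return (el.findtext(tag) or "false").strip().lower() == "true"

def _kind(el, tag):
    return (el.findtext(tag) or "NONE").strip()

def effective_protection(governance_xml, domain_id, topic_name):
    """First domain_rule covering the domain, then first topic_rule whose
    topic_expression matches (fnmatch style); an uncovered topic raises LookupError."""
    root = ET.fromstring(governance_xml)
    for rule in root.iter("domain_rule"):
        if not _domain_matches(rule.find("domains"), domain_id):
            continue
        for topic_rule in rule.iter("topic_rule"):
            if not fnmatch.fnmatchcase(topic_name, topic_rule.findtext("topic_expression").strip()):
                continue
            def opt_in(flag, kind):  # domain-wide kind applies only where the topic opts in
                return _kind(rule, kind) if _flag(topic_rule, flag) else "NONE"
            return {
                "discovery": opt_in("enable_discovery_protection", "discovery_protection_kind"),
                "liveliness": opt_in("enable_liveliness_protection", "liveliness_protection_kind"),
                "rtps": _kind(rule, "rtps_protection_kind"),
                "metadata": _kind(topic_rule, "metadata_protection_kind"),
                "data": _kind(topic_rule, "data_protection_kind"),
                "read_access_control": _flag(topic_rule, "enable_read_access_control"),
                "write_access_control": _flag(topic_rule, "enable_write_access_control"),
            }
        raise LookupError(f"no topic_rule covers {topic_name!r} in domain {domain_id}")
    raise LookupError(f"no domain_rule covers domain {domain_id}")

if __name__ == "__main__":
    for topic in ("Periodic Data", "Control Data", "Config Data"):
        print(topic, effective_protection(GOVERNANCE_XML, 0, topic))
```

Run stand-alone, the script prints one line per topic; "Periodic Data" resolves to discovery NONE and data SIGN, "Config Data" to discovery ENCRYPT and data ENCRYPT, which is the policy the slide states. Because rule order matters, a review of a real governance file should check that a broad expression such as `*` does not precede the specific rules it was meant to complement.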
DDS Security Components
[Diagram: the Identity Certificate Authority (CA) issues an Identity to the Secure Publisher and the Secure Subscriber; the Permissions Certificate Authority (CA) signs the Domain Governance and each participant's Permissions]
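The Permissions and Domain Governance in this diagram are XML documents signed by the Permissions CA. As an added example (not from the presentation or from Twin Oaks Computing), the Python below evaluates a constructed permissions document the way the standard access control plugin answers the join, read and write questions from the Access Control slide: the grant is selected by the subject name of the identity certificate, checked against its validity window, then allow and deny rules are applied in document order, with the grant's default deciding anything unmatched. The subject name, topic names, dates and domain id are invented for this example; partitions and data tags are omitted, and only explicit domain ids are handled.

```python
"""Evaluate a DDS Security permissions document for one participant.
Added example, not code from the presentation or Twin Oaks Computing.  The
permissions XML below is constructed for this example (subject name, topics
and validity window are invented) and follows the DDS Security 1.1 permissions
schema, reduced to domains and topics (partitions and data tags omitted)."""
import fnmatch
import xml.etree.ElementTree as ET
from datetime import datetime

PERMISSIONS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
  <permissions>
    <grant name="ControlStationGrant">
      <!-- must equal the subject of the participant's identity certificate -->
      <subject_name>CN=ControlStation,O=Example Utility</subject_name>
      <validity>
        <not_before>2018-03-01T00:00:00</not_before>
        <not_after>2019-03-01T00:00:00</not_after>
      </validity>
      <!-- rules are evaluated in document order; the first match decides -->
      <deny_rule>
        <domains><id>0</id></domains>
        <publish><topics><topic>Config*</topic></topics></publish>
      </deny_rule>
      <allow_rule>
        <domains><id>0</id></domains>
        <publish><topics><topic>Control Data</topic></topics></publish>
        <subscribe><topics><topic>Periodic*</topic><topic>Config*</topic></topics></subscribe>
      </allow_rule>
      <default>DENY</default>
    </grant>
  </permissions>
</dds>
"""

def _domain_listed(rule_el, domain_id):
    """Explicit <id> entries only (id_range is not handled in this example)."""
    return any(int(i.text) == domain_id for i in rule_el.find("domains").iter("id"))

def _topic_listed(rule_el, action, topic_name):
    """action is 'publish' or 'subscribe'; topic names use fnmatch wildcards."""
    return any(fnmatch.fnmatchcase(topic_name, t.text.strip())
               for section in rule_el.iter(action) for t in section.iter("topic"))

def is_allowed(permissions_xml, subject_name, domain_id, action, topic_name, at_iso):
    """True if the grant for subject_name permits `action` on topic_name in
    domain_id at ISO-8601 time at_iso.  An unknown subject, an expired grant,
    a matching deny rule, or no match with default DENY all yield False."""
    at = datetime.fromisoformat(at_iso)
    root = ET.fromstring(permissions_xml)
    for grant in root.iter("grant"):
        if grant.findtext("subject_name", "").strip() != subject_name:
            continue
        validity = grant.find("validity")
        not_before = datetime.fromisoformat(validity.findtext("not_before").strip())
        not_after = datetime.fromisoformat(validity.findtext("not_after").strip())
        if not (not_before <= at <= not_after):
            return False  # grant not yet valid or expired: no permissions at all
        for rule in grant:  # document order; comments are dropped by the parser
            if (rule.tag in ("allow_rule", "deny_rule")
                    and _domain_listed(rule, domain_id)
                    and _topic_listed(rule, action, topic_name)):
                return rule.tag == "allow_rule"
        return grant.findtext("default", "DENY").strip().upper() == "ALLOW"
    return False  # no grant for this subject

if __name__ == "__main__":
    subject, when = "CN=ControlStation,O=Example Utility", "2018-06-01T00:00:00"
    for action, topic in (("publish", "Control Data"), ("publish", "Config Data"),
                          ("subscribe", "Config Data"), ("publish", "Periodic Data")):
        print(action, topic, "->", is_allowed(PERMISSIONS_XML, subject, 0, action, topic, when))
```

In a deployment the S/MIME signature from the Permissions CA is verified before the XML is trusted at all, and the permissions document is exchanged during authentication so that a participant with no valid grant is rejected at join time rather than at first write. The explicit deny rule placed before the allow rule shows why order is reviewed: swapping them would not change the outcome here, but a deny rule placed after a broad allow rule never fires.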
DDS Security Live Demonstration
DDS Security Overview
• Covers all aspects of secure communications
  • Authentication
  • Access Control
  • Integrity
  • Confidentiality
• Full Configuration Flexibility on a Topic-by-Topic basis
• State-of-the-art Security Technologies
  • PKI Crypto
  • GCM/GMAC, AES
  • Forward Secrecy
• Maintains key benefits of DDS:
  • Distributed Data Communications – no brokers required
  • System Components are Decoupled
  • Robust infrastructure for critical systems
  • Scalable from edge to cloud, from bare metal to servers
[Diagram: Authorized Publisher and Authorized Subscriber; Unauthorized Publisher; Unauthorized Subscriber; Authorized Subscriber with Unauthorized Publisher; Unauthorized Packet Sniffer]
Thank you! Nina Tucker [email protected] http://www.twinoakscomputing.com